Increasing numbers of industrial and consumer appliances, as well as measuring laboratory apparatus and electronic test equipment, are incorporating microprocessors. The intent in such applications is generally not to provide a capability to run programs such as can be done on programmable calculators and desktop computers. Instead, the designer is often replacing dedicated control circuitry with "smarts." The use of a microprocessor to control an instrument or an appliance can often make it work as well or better with fewer discrete components, make it work better than was previously possible, or make feasible new operational features that would otherwise be impractical or impossible. A microprocessor, its memory and I/O circuits used in an instrument or an appliance for these or related purposes is sometimes called an embedded system. It is in that sense that the term "embedded system" is used in this Specification.
Embedded systems may be used to control the actuation of an operation or process whose performance is to be subordinated to certain control conditions. The control conditions could pertain to ensuring human safety, preventing damage to equipment, preventing erroneous or misleading outcomes, or merely avoiding inconvenience. We shall refer to an operation receiving protection through such controlling conditions as a "critical" operation. Certain problems can arise when a microprocessor is used in the control of a critical operation. In one sense the microprocessor itself may be more complex than the system it is used to control. Certain failure modes peculiar to the microprocessor can raise questions about its "trustworthiness." It would be desirable if the advantages of the microprocessor's powerful processing capability could be made available without at the same time increasing the vulnerability of the system to miscontrol of the critical operation arising out of increased system complexity. The techniques described herein help attain that goal.
As an example, consider a hypothetical microwave oven having a button to push for turning on the oven. The designer would like to make very sure that no microwave energy will be generated unless the door is shut. It is common for some sort of electro-mechanical power interlock to be relied upon for this assurance. And while that is a generally acceptable solution, it requires additional discrete components that are subject to possible reliability problems. It is an attractive alternative to sense the status of the door with a low power but inherently very reliable device (perhaps magnetic or optical) and use the microprocessor to decide whether or not to apply power.
As an additional example, consider how embedded systems have changed electronic test equipment. Increasing numbers of electronic measuring instruments are incorporating microprocessors and relying for their accuracy upon calibration information stored in non-volatile Read/Write Memory (RWM). The stored calibration information can often be changed from the front panel during a calibration procedure. To meet the demands of various government regulations for defense contractors and to assist those in charge of electronic maintenance, a security code mechanism can be employed to minimize the likelihood that the calibration information will be deliberately altered by an unauthorized person or inadvertently altered by an unskilled user of the instrument.
Both of the above examples also lend themselves to illustrating instances of "trustworthiness" problems that can arise when using embedded systems. In the case of the calibration constants stored in non-volatile memory, it is appropriate to consider how to protect that information from the microprocessor itself. Suppose it gets "zapped" with a static discharge and temporarily runs amok. Might not a traumatized microprocessor become a fox in the chicken coop, and without warning, destroy or alter valuable calibration data costing time and money to replace? And what of the subsequent problems caused by inaccurate measurements unknowingly thought to be accurate? It would be desirable if the calibration information could be protected against alteration except under well defined and controlled circumstances that are unquestionably valid.
Consider again the microwave oven with an embedded system controlling the generation of microwave power. If a traumatized microprocessor began to execute code at random there is a certain probability that it will energize the magnetron even though the door is open. All that is required is that execution begin after the check for the door and ahead of the energizing of the magnetron.
Additional checks in the firmware cannot, by themselves, avoid these difficulties. If there is a section of code that, when executed, turns on the magnetron or writes to the area of memory that holds calibration constants, then the basic vulnerability is present. All that is required is for the program pointer in the microprocessor to land at an address just ahead of the critical instructions. It will then be as if all checks were successfully met, since there will be no further opportunity to branch upon detecting their failure; no such detection will be undertaken. This situation is shown in general in FIG. 1.
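The following simulation is an added example, not part of the specification, that models the FIG. 1 situation for the hypothetical oven: firmware is a linear sequence of instructions, and a traumatized processor may resume execution at any instruction in that sequence. The two firmware layouts (`single_check` and `triple_check`) and the instruction set are constructed for illustration. Counting the entry points that energize the magnetron while the door is open shows why the text says additional checks cannot by themselves remove the vulnerability: every entry point between the last check and the critical instruction bypasses all of them, however many there are.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed instruction set for the model (hypothetical, not from the page). */
typedef enum { OP_OTHER, OP_CHECK_DOOR, OP_ENERGIZE } op_t;

typedef struct {
    bool door_closed;
    bool magnetron_on;
} oven_t;

/* Run the firmware sequence starting at instruction index `entry`, as a
   runaway program pointer would. Returns true if the magnetron was
   energized, which is a hazard whenever the door is open. */
static bool run_from(const op_t *prog, size_t len, size_t entry, oven_t *ov)
{
    for (size_t pc = entry; pc < len; pc++) {
        switch (prog[pc]) {
        case OP_CHECK_DOOR:
            /* A check only helps if execution actually passes through it. */
            if (!ov->door_closed)
                return false;
            break;
        case OP_ENERGIZE:
            ov->magnetron_on = true;
            return true;
        default:
            break;
        }
    }
    return false;
}

/* Count the entry points at which the magnetron is energized with the
   door open, i.e. the fraction of addresses that are unsafe to land on. */
size_t unsafe_entry_points(const op_t *prog, size_t len)
{
    size_t unsafe = 0;
    for (size_t entry = 0; entry < len; entry++) {
        oven_t ov = { .door_closed = false, .magnetron_on = false };
        if (run_from(prog, len, entry, &ov))
            unsafe++;
    }
    return unsafe;
}

/* Constructed firmware layouts: one door check versus three door checks
   ahead of the same critical instruction. */
static const op_t single_check[] = {
    OP_OTHER, OP_CHECK_DOOR, OP_OTHER, OP_ENERGIZE, OP_OTHER
};
static const op_t triple_check[] = {
    OP_OTHER, OP_CHECK_DOOR, OP_CHECK_DOOR, OP_CHECK_DOOR,
    OP_OTHER, OP_ENERGIZE, OP_OTHER
};

size_t unsafe_single(void)
{
    return unsafe_entry_points(single_check, sizeof single_check / sizeof *single_check);
}

size_t unsafe_triple(void)
{
    return unsafe_entry_points(triple_check, sizeof triple_check / sizeof *triple_check);
}

int main(void)
{
    printf("unsafe entry points, one check:    %zu of %zu\n",
           unsafe_single(), sizeof single_check / sizeof *single_check);
    printf("unsafe entry points, three checks: %zu of %zu\n",
           unsafe_triple(), sizeof triple_check / sizeof *triple_check);
    return 0;
}
```

Both layouts have exactly two unsafe entry points (the instruction just ahead of `OP_ENERGIZE` and `OP_ENERGIZE` itself), so tripling the checks changes nothing for a program pointer that lands past them. The number of unsafe addresses is set by the distance between the last check and the critical instruction, not by the number of checks, which is the structural point the text makes about FIG. 1.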
FIG. 1 shows just one of a plurality of prior art methods of preventing a critical operation unless it is really intended that it be done. Another way is to require that a key be physically fitted to a keylock. Still another is to require that a cover be removed from the instrument and a switch be thrown or a jumper installed or removed. Such methods are generally called "interlocks". Each of these methods has its own disadvantage when used in conjunction with an embedded system. For example, none really addresses the problem of the traumatized or malfunctioning microprocessor while the interlock is disabled during service or routine calibration. They are also subject to failure, can be inconvenient, and are subject to abuse. A key, for example, might always be left in place.
What is needed is a way to ensure that an attempt to perform a critical operation will not be honored unless the execution of the section of code making the attempt is properly and immediately subsequent to successful checks of the appropriate controlling conditions. "Controlling conditions" can include checks to ensure safe operation as well as checks to prevent unauthorized operation.